How to: Encrypt your Home directory in Arch Linux

Encrypting your data is an important step to protect your personal information while the data is not in use. There are multiple ways of encrypting your data. Full-disk encryption, using a container file that contains specific files that should be encrypted, encrypting single files or encrypting an entire directory.

I chose the latter approach of encrypting only my home directory since I don't store any important information outside of my home directory and /tmp is mounted as a ramdisk (tmpfs) with systemd so encryption of temp files is not a concern for me.

The most convenient way of doing this is by using ecryptfs. To start log-out the user whose home directory you want to encrypt (I logged into my root account to continue the setup but you can use any user that can elevate to root privileges). Then we need to install ecryptfs utils and it's dependencies (those are not installed automatically for some reason).

pacman -S ecryptfs-utils rsync lsof

After that you need to load the ecryptfs kernel module with modprobe.

modprobe ecryptfs

Now we run the migrate-home command to encrypt our user's directory. This assumes you store your user data in /home and don't have any non-standard setup. If you do it's best to just follow the Arch wiki's page on ecryptfs.

This command will promt you for the user's passphrase and start the encryption process.

ecryptfs-migrate-home

When that finishes we need to ensure the ecryptfs kernel module is loaded by systemd on boot since this is not done automatically.

echo 'ecryptfs' > /etc/modules-load.d/ecryptfs.conf

Now you should log out of your root account (do not reboot!) and log into your user account again.

You should now have an empty home directory with instructions how to decrypt your data. First we need to unwrap the passphrase then decrypt our information. Ecryptfs generates a long secure passphrase that is used to encrypt your user data. This passphrase is encrypted with the login password of your user account.

ecryptfs-unwrap-passphrase
ecryptfs-mount-private

Now you should find that all your files are accessible again. To enable automatic encryption during login we need to integrate ecryptfs into our PAM configuration.

Open the /etc/pam.d/system-auth file and edit is as follows:

# add this line AFTER the line "auth required pam_unix.so"
auth required pam_ecryptfs.so unwrap
# add this line ABOVE the line "password required pam_unix.so"
password optional pam_ecryptfs.so
# add this line AFTER the line "session required pam_unix.so"
session optional pam_ecryptfs.so unwrap

After doing that your configuration file should look something like this:

After you made sure your encrypted files are accessible and login decryption works as you expect it to, remove the backup folder ecryptfs added in your /home folder. For me it was named benni.G9OYTmqR.

This folder contains an un-encrypted version of all your files that was automatically copied in case the installation went wrong. If you messed up your set-up and want to try again simply delete you home folder, copy the backup in place and remove the configuration data in /home/.ecryptfs.

If you use swap files or a swap partition you should also look into encrypting that with ecryptfs. Also please note that a full disk wipe is always advisable before encrypting data to avoid having unencryped "deleted" data on your HDD. You could also look into overwriting empty spaces on your harddrive after encryption instead. Personally I use an SSD and run trim to remove the old unencrypted deleted files after encryption.